I received some very sad news this morning – Melissa Claros (one of my colleagues at the Weehawken Volunteer First Aid Squad) lost her husband, Robert, suddenly this weekend. Melissa and Rob shared love and a common desire to help their communities. Rob was an EMT for the West New York ambulance squad and a volunteer fireman in their town in Pennsylvania and Melissa is a volunteer EMT here in Weehawken. Rob was just 28 years old and he leaves Melissa not only with a broken heart, but also two young children to raise while she attends nursing school.
While there is nothing we can do to fill the void in Melissa’s heart left by Rob’s untimely passing, we can help her and her kids deal with some of the financial burdens which they face now and in the future.
Rob’s colleagues in West New York have set up a GoFundMe page to help the family out at this difficult time. Rob and Melissa have consistently stepped up to help their communities. Rob was and Melissa is “good people” who could use some help.
Sometimes, saving money can cost you money (like $81 million)… Apparently the hackers who made off with millions from the Central Bank of Bangladesh had some help from the bank’s IT department, who decided to save money by forgoing firewalls and purchasing used routers that could not segregate private from public traffic. My new favorite information security quote of all time was in this article:
A firewall would have made attempts to hack the bank more “difficult,” Mohammad Shah Alam, a forensic investigator who works on the Bangladesh team investigating the theft, told Reuters.
Yes. Yes it would. Can’t get anything past this guy.
Be careful when typing those URLs! Typosquatters register domains which are very similar to those of popular sites and use them to serve up malware to the unwary. Leave the “c” off of “.com”? You could end up at a shady Omani domain bearing gifts you don’t want to get!
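The “.om” trick above is just a one-character edit away from the real domain, which is exactly what a lookalike check can catch. The following is an added example (not code from the original post) of a defender-side check that compares a hostname the user is about to visit against an allow-list of domains they actually use and flags near-misses; the domain names in the allow-list and the edit-distance threshold are constructed for illustration.

```python
# Added example: flag hostnames that are a near-miss of a known domain.
# KNOWN_DOMAINS and MAX_DISTANCE are illustrative assumptions, not values
# from any real product.
KNOWN_DOMAINS = ["example.com", "mybank.example", "webmail.example"]
MAX_DISTANCE = 2  # one or two typos (dropped/swapped/substituted characters)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: minimum single-character edits to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,          # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def normalize_host(host: str) -> str:
    """Lower-case, strip a trailing dot and a leading 'www.' before comparing."""
    host = host.strip().lower().rstrip(".")
    if host.startswith("www."):
        host = host[4:]
    return host


def check_host(host: str, known=KNOWN_DOMAINS, max_distance=MAX_DISTANCE):
    """Classify a hostname as 'known', 'lookalike' (with the domain it
    resembles) or 'unrelated'. Subdomains of a known domain count as known."""
    host = normalize_host(host)
    for domain in known:
        if host == domain or host.endswith("." + domain):
            return ("known", domain)
    closest = min(known, key=lambda d: edit_distance(host, d))
    if edit_distance(host, closest) <= max_distance:
        return ("lookalike", closest)
    return ("unrelated", None)


if __name__ == "__main__":
    for candidate in ["example.om", "examp1e.com", "login.example.com",
                      "unrelated-site.org"]:
        print(candidate, "->", check_host(candidate))
```

The check is deliberately conservative: anything within a couple of edits of a trusted domain is reported as a lookalike rather than silently allowed, and the decision about what to do (warn, block, log) is left to the caller.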
A reminder that while iOS still seems to be safer from malware threats (as long as you don’t jailbreak your device), Apple’s walled garden is not totally weed free. Researchers found malicious apps in Apple’s App Store which use vulnerabilities in iOS’s digital rights management software to install malware on standard (non-jailbroken) devices. This particular family of malware only targets devices located in mainland China, but there is no guarantee that others won’t try to exploit this issue to infect other users.
Apple removed the malicious apps from the App Store when they were informed of the issue, but it is important to note that the apps stayed up in spite of multiple reviews by Apple until then.
We iDevice users have been quite lucky when it comes to malware, but it is important to remember that iOS is not immune to malware attacks. The best defense is to be choosy about the apps you install – if you have not heard of an app, look for reviews and information out on the net before downloading it to your phone.
Of course, Donald Trump promises to build a “terrific” wall around Apple’s App Store and make Mexico pay for it…
OK, I already tweeted this story with a snarky comment about spelling, but there is an interesting lesson to be learned from this incident. It was plain old human intervention that kept an $80 million fraud from becoming an $800 million plus fraud against Bangladesh Bank. Educating your people to recognize out-of-the-ordinary behavior is one of the best security investments you can make. (Not that losing $80 million is a great outcome.)
Yesterday, at ShmooCon, security researcher Sean Cassidy announced a vulnerability in the popular LastPass password manager. He demonstrated a way that an attacker could send a user a phishing email, redirecting them to a specially crafted web page which logged them out of LastPass and presented a “pixel perfect” copy of the LastPass login screen, where the user could then enter their user name, master password and two-factor authentication code. This information would be sent to the attacker, who would then have access to all of the user’s passwords.
Key to this evil plan was a “cross-site request forgery” (CSRF) vulnerability in LastPass, which allowed the attacker to force the user to log out of the password manager. This vulnerability has been fixed in the latest version of the application, so this particular attack will not work today and LastPass users should not panic.
I have been a proponent of password managers in general and LastPass in particular and still think that LastPass, DashLane, Keepass and the like are great solutions for protecting your online accounts. In my opinion, the extra security you achieve by having unique long, strong passwords for each of your accounts outweighs the risks posed by using a password manager.
One of the debates around LastPass and its online brethren is whether their practice of storing encrypted versions of passwords in the cloud to allow them to be shared amongst devices and browsers presents too much of a security risk. Many people prefer to use offline password managers like Keepass which store the encrypted passwords locally. I can see the case for either choice, but I feel that for most people, the ease of use of a synchronized solution like LastPass or DashLane makes it more likely that they will use long, strong, unique passwords for all sites. In particular, the ability to use these programs with both mobile and desktop devices is important – non-synchronized password managers can be a pain to use and keep up to date on mobile devices, where we are increasingly leading much of our online lives.
I did take this opportunity, however, to look at one of LastPass’ main competitors, Dashlane, and was quite impressed with it from an ease of use point of view. It definitely gives a superior user experience on the mobile platform, but it does not seem to allow you to store attachments in Secure Notes, which is a LastPass feature I like and use. Dashlane is more expensive than LastPass ($39 per year versus LastPass’ $12 price tag). Dashlane seems to be easier to configure for the non-technical user and uses the device itself as a second form of authentication, obviating the need for a separate authorization code. Of course, this means that a stolen phone or iPad could give an attacker access to your passwords, but you can specify a PIN or use the iPhone’s fingerprint reader to control access. I was able to import my LastPass data into Dashlane really easily and they provide a 30-day trial of their premium features, which I am currently taking advantage of. I’ll let you know how it goes.
To summarize, this vulnerability points out how seemingly innocuous vulnerabilities (being able to remotely log someone out of a website or tool) can be leveraged by malicious miscreants for their nefarious purposes. However, it is not a show stopper for LastPass and they seem to have responded in a timely fashion. Password managers are still a great security solution.
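The CSRF weakness in this story is a logout endpoint that fires whenever a browser sends the session cookie, no matter which page triggered the request. The following is an added example (my own illustration, not LastPass’s code) that puts a forgeable logout handler next to a hardened one that requires a POST from the site’s own origin carrying a per-session CSRF token. The request and session objects, the origin `https://vault.example` and the status codes are simplified stand-ins chosen for the example.

```python
# Added example: a cross-site-forgeable logout vs. a CSRF-protected one.
# Request, SessionStore and SITE_ORIGIN are assumptions made for this demo.
import secrets
from dataclasses import dataclass, field

SITE_ORIGIN = "https://vault.example"  # constructed origin for the demo


@dataclass
class Request:
    method: str
    path: str
    cookies: dict               # sent automatically by the browser
    form: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


class SessionStore:
    """Server-side sessions; each carries its own random CSRF token."""
    def __init__(self):
        self._sessions = {}

    def create(self, user: str) -> str:
        sid = secrets.token_urlsafe(16)
        self._sessions[sid] = {"user": user, "csrf": secrets.token_urlsafe(16)}
        return sid

    def get(self, sid):
        return self._sessions.get(sid)

    def destroy(self, sid):
        self._sessions.pop(sid, None)


def logout_vulnerable(store: SessionStore, req: Request) -> int:
    # Any request that carries the session cookie ends the session, so a
    # hidden <img> or auto-submitting form on a third-party page does it too.
    session = store.get(req.cookies.get("sid"))
    if session is None:
        return 401
    store.destroy(req.cookies["sid"])
    return 302


def logout_hardened(store: SessionStore, req: Request) -> int:
    session = store.get(req.cookies.get("sid"))
    if session is None:
        return 401
    if req.method != "POST":              # state change only via POST
        return 405
    if req.headers.get("Origin") != SITE_ORIGIN:   # must come from our pages
        return 403
    token = req.form.get("csrf_token", "")         # per-session secret
    if not secrets.compare_digest(token, session["csrf"]):
        return 403
    store.destroy(req.cookies["sid"])
    return 302


def demo() -> dict:
    """Run a forged cross-site request against both handlers, plus a genuine
    same-origin logout against the hardened one. Returns the outcomes."""
    results = {}
    store = SessionStore()

    sid = store.create("alice")
    forged = Request("POST", "/logout", {"sid": sid},
                     headers={"Origin": "https://attacker.example"})
    results["vulnerable_forged"] = (logout_vulnerable(store, forged),
                                    store.get(sid) is None)

    sid = store.create("alice")
    results["hardened_forged"] = (logout_hardened(store, forged.__class__(
        "POST", "/logout", {"sid": sid},
        headers={"Origin": "https://attacker.example"})), store.get(sid) is None)

    genuine = Request("POST", "/logout", {"sid": sid},
                      form={"csrf_token": store.get(sid)["csrf"]},
                      headers={"Origin": SITE_ORIGIN})
    results["hardened_genuine"] = (logout_hardened(store, genuine),
                                   store.get(sid) is None)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, "-> status", outcome[0], "session ended:", outcome[1])
```

The attacker’s page can make the victim’s browser send the cookie, but it cannot read the per-session token or forge the browser-set Origin header, so the forged request is refused while the genuine one succeeds. Setting the session cookie with the `SameSite` attribute is a complementary control that keeps the browser from attaching it to cross-site requests in the first place.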
It sometimes seems to me that a lack of data is not the issue when patrolling your networks for signs of evil badness… it is quite the opposite – operating systems, security logs and other sources are drowning us in data which we don’t leverage. This talk from DerbyCon 2015, “Intrusion Hunting for the Masses – A Practical Guide”, really opened my eyes to a number of ways to leverage data that we already have to look for signs of sophisticated intrusions early in the kill chain. If you manage infosec for your organization or are in the bad-guy hunting business, I highly recommend this information- and idea-packed 45 minute talk by Dave Sharpe (@sharpesecurity). I love stuff like this – you don’t have to make huge investments in new hardware or software to do this kind of analysis and the potential payoffs are pretty big. Best con talk I have watched in a long time.